Changes

From SME Server
Jump to navigationJump to search

User talk:Mmccarn (view source)

Revision as of 17:44, 26 November 2017

1,080 bytes added ,  17:44, 26 November 2017
→‎Agent Configuration
Line 28: Line 28:  
  /etc/init.d/wazuh-agent start
 
  /etc/init.d/wazuh-agent start
    +
===SME Customizations===
 +
I added these instructions to /var/ossec/etc/ossec.conf:
 +
<nowiki>  <localfile>
 +
    <log_format>djb-multilog</log_format>
 +
    <location>/var/log/dovecot/current</location>
 +
  </localfile>
    +
  <localfile>
 +
    <log_format>djb-multilog</log_format>
 +
    <location>/var/log/tinydns/current</location>
 +
  </localfile>
 +
  <localfile>
 +
    <log_format>djb-multilog</log_format>
 +
    <location>/var/log/dnscache/current</location>
 +
  </localfile>
 +
 +
  <localfile>
 +
    <log_format>command</log_format>
 +
    <command>grep -h logterse /var/log/*qpsmtpd/current</command>
 +
    <alias>s/qpsmtpd</alias>
 +
    <frequency>360</frequency>
 +
  </localfile>
 +
</nowiki>
 +
 +
And this instruction to /var/ossec/etc/local_internal_options.conf:
 +
<nowiki># from https://documentation.wazuh.com/2.0/user-manual/reference/ossec-conf/localfile.html
 +
# 'it may not be permissible in all environments to allow the Wazuh manager to run
 +
#  arbitrary commands on agents in their root security context.'
 +
logcollector.remote_commands=1
 +
</nowiki>
 +
 +
And restarted the agent using
 +
/etc/init.d/wazuh-agent restart
    
=Older=
 
=Older=
Retrieved from "https://wiki.koozali.org/Special:MobileDiff/34197"

Navigation menu